Video Screencast Help
Security Response

Chinese Ransomlock Malware Changes Windows Login Credentials

Created: 21 Aug 2013 10:25:27 GMT • Updated: 23 Jan 2014 18:04:35 GMT • Translations available: 日本語
Flora Liu's picture
+2 2 Votes
Login to vote

Although ransomware has become an international problem, we rarely see Chinese versions. Recently, Symantec Security Response noticed a new type of ransomlock malware that not only originates from China but also uses a new ransom technique to force users into paying to have their computers unlocked.

This threat is written in Easy Programming Language and is spread mostly through a popular Chinese instant messaging provider. Once a computer is compromised, the threat changes the login credentials of the current user and restarts the system using the newly created credentials. The login password is changed to “tan123456789” (this was hardcoded in the sample we acquired) but the malware author may update the threat and change the password. The account name is changed to “contact [IM ACCOUNT USER ID] if you want to know the password” (English translation)so that once the computer has restarted, and the user is unable to log in, they will see the account name/message and contact the user ID in order to get the new password.

Figure1_Edit.png

Figure 1. Login screen with changed account name after system restart

If the victim contacts the provided user ID, who is more than likely the malware author, they will see a statement on the profile page asking for approximately 20 Chinese Yuan (US$3.25). The statement says that the login password will be sent as soon as the money is received and that if the malware author is pestered by the user they will be blocked.

Symantec detects this threat as Trojan.Ransomlock.AF. For users already infected with this threat, there are several ways to restore system access:

  1. Use password “tan123456789” to log into the system and reset the password (as mentioned before, this might not always work as the password may be changed by the malware author)
  2. Use another administrator account to log into the system and reset the password
  3. If your current account is not a super administrator account, enter safe mode and log in as super administrator and then reset the password
  4. Use Windows recovery disk to reset the password